System and method for interception of IP traffic based on image processing

ABSTRACT

Methods and systems for monitoring communication traffic in communication networks, such as Internet Protocol (IP) traffic transferred over the Internet or over a wireless network. The disclosed techniques identify communication traffic that is associated with target individuals, by extracting digital images from the traffic and recognizing target individuals who appear in the images. A correlation system monitors communication sessions that are conducted in a communication network to identify known target individuals who appear in images. Upon recognizing a target individual in an image extracted from a certain session, the system correlates this target user with one or more of the communication identifiers used in the session. The system automatically identifies IP addresses or other identifiers that are used by target individuals, and enable subsequent tracking of such identifiers.

FIELD OF THE DISCLOSURE

The present disclosure relates generally to communication monitoring, and particularly to methods and systems for monitoring communication traffic based on image processing.

BACKGROUND OF THE DISCLOSURE

Various image processing techniques for recognizing faces in images are known in the art. Face recognition is used in a variety of applications, such as in security, biometry, border control and visa processing systems. Face recognition solutions are offered, for example, by Face.com (Tel Aviv, Israel), L1 Identity Solutions, Inc. (Billerica, Mass.) and Cognitec Systems (Dresden, Germany), among others.

SUMMARY OF THE DISCLOSURE

An embodiment that is described herein provides a method including monitoring communication sessions conducted in a communication network. A digital image and a communication identifier are extracted from a monitored communication session. A known target individual appearing in the extracted image is recognized, and the target individual is associated with the communication identifier.

In some embodiments, recognizing the target individual includes applying a face recognition process to the extracted image so as to recognize a face of the target individual in the image. In an embodiment, recognizing the target individual includes comparing the extracted image to a database of images of target individuals. In a disclosed embodiment, monitoring the communication sessions includes receiving communication traffic from the communication network, and reconstructing the communication sessions from the received communication traffic.

In an embodiment, one or more of the communication sessions is encrypted with a transport-layer cryptographic protocol, and monitoring the communication sessions includes decrypting the cryptographic protocol before extracting the digital image and the communication identifier. In an example embodiment, extracting the communication identifier includes extracting an Internet Protocol (IP) address. In another embodiment, extracting the communication identifier includes extracting an e-mail address. In yet another embodiment, extracting the communication identifier includes extracting a chat nickname.

In another embodiment, monitoring the communication sessions includes monitoring communication packets transferred over a wireless network, and extracting the communication identifier includes extracting an identifier of a wireless communication terminal that participates in the monitored communication session. In an embodiment, the wireless network includes a Wireless Local Area Network (WLAN). In a disclosed embodiment, extracting the communication identifier includes extracting a Medium Access Control (MAC) address that identifies the wireless communication terminal.

In another embodiment, the wireless network includes one of a Global System for Mobile communications (GSM) and a Universal Mobile Telecommunications System (UMTS) Network. In some embodiments, extracting the communication identifier includes correlating an Internet Protocol (IP) address extracted from the monitored communication session with the identifier of the wireless communication terminal.

In some embodiments, extracting the communication identifier includes extracting an application-layer identifier. Extracting the digital image may include extracting one of a still image and a video image. In some embodiments, the method includes outputting an association between the target individual with the communication identifier, so as to act upon one or more other communication sessions of the target individual using the communication identifier. In some embodiments, recognizing the target individual includes recognizing in the extracted image a car license plate that is associated with the target individual. In some embodiments, recognizing the target individual includes recognizing in the extracted image a body feature that is associated with the target individual.

There is additionally provided, in accordance with an embodiment that is described herein, apparatus including an interface and a processor. The interface is connected to a communication network and is configured to monitor communication sessions conducted in the network. The processor is configured to extract from a monitored communication session a digital image and a communication identifier, to recognize a known target individual appearing in the extracted image, and to associate the target individual with the communication identifier.

There is also provided, in accordance with an embodiment that is described herein, a computer software product. The product includes a tangible non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to monitor communication sessions conducted in a communication network, to extract from a monitored communication session a digital image and a communication identifier, to recognize a known target individual appearing in the extracted image, and to associate the target individual with the communication identifier.

The present disclosure will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that schematically illustrates a system for correlating communication traffic with target individuals, in accordance with an embodiment of the present disclosure; and

FIG. 2 is a flow chart that schematically illustrates a method for correlating communication traffic with target individuals, in accordance with an embodiment of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS Overview

Embodiments that are described herein provide improved methods and systems for monitoring communication traffic in communication networks, such as Internet Protocol (IP) traffic transferred over the Internet or over a wireless network. The disclosed techniques identify communication traffic that is associated with target individuals, by extracting digital images from the traffic and recognizing target individuals who appear in the images.

In a typical embodiment, a correlation system monitors communication sessions that are conducted in a communication network. The system extracts two types of information from the monitored sessions: Digital images that are exchanged during the sessions, and communication identifiers, such as IP addresses, which are used in the sessions. The system applies face recognition techniques to the extracted images, attempting to identify known target individuals who appear in the images. For example, the system may compare the extracted images to a database of facial images of target individuals.

Upon recognizing a target individual in an image extracted from a certain session, the system correlates this target user with one or more of the communication identifiers used in the session. For example, the system may detect that a target individual appears in an image that is attached to an e-mail originating from a certain IP address, and thus correlate the target individual with the IP address. Once a correlation of this sort is established, the system regards communication sessions that use the identifier as likely to be conducted by the target individual. Such sessions can be tracked, recorded, prioritized or otherwise acted upon.

The disclosed techniques automatically identify IP addresses or other identifiers that are used by target individuals, and enable subsequent tracking of such identifiers. These techniques are highly effective against target individuals who take measures to evade surveillance, e.g., users who connect to the network from Internet Cafés that use Network Address Translation (NAT), or users who frequently change application-level identifiers such as Radius usernames, e-mail addresses or chat nicknames.

In some embodiments, the monitored communication traffic is encrypted with a cryptographic transport-layer protocol, e.g., SSL or TLS, and the system applies “Man in The Middle” (MITM) techniques to decrypt the traffic before extracting the identifiers and images.

System Description

FIG. 1 is a block diagram that schematically illustrates a system 20 for correlating communication traffic with target individuals, in accordance with an embodiment of the present disclosure. A system of this sort may be used, for example, by intelligence or law enforcement agencies for tracking communication traffic of suspect individuals.

System 20 is connected to a data communication network 24, typically an Internet Protocol (IP) network. Network 24 may comprise, for example, the Internet, an enterprise Intranet, a wireless network (e.g., a cellular network or a Wireless Local Area Network—WLAN—also referred to as Wi-Fi network), or any other public or private network. A cellular network may comprise, for example, a Global System for Mobile communications (GSM) or Universal Mobile Telecommunications System (UMTS) network.

Multiple individuals 28, also referred to as users, conduct communication sessions over network 24 using computers 32 or other computing or communication terminals. In the context of the present patent application and in the claims, the term “communication session” refers to any kind of communication interaction over the network. A session may involve a single user (e.g., sending an e-mail message or uploading a file) or multiple users (e.g., a chat or instant messaging session).

A given session involves the exchange of communication traffic, e.g., IP packets, over the network. The communication traffic of a given session typically comprises communication identifiers such as IP addresses. In some cases the identifiers identify session endpoints, e.g., computers 32 or cellular phones. In other cases identifiers may identify intermediate nodes in the network.

When network 24 comprises a wireless network, e.g., a cellular network that supports IP over General Packet Radio Service (GPRS) or other form of wireless packet communication, the communication identifiers may identify the communication terminals (e.g., cellular phones) participating in the session. Such terminal identifiers may comprise, for example, International Mobile Subscriber Identities (IMSI), International Mobile Equipment Identities (IMEI) or Mobile Subscriber Integrated Services Digital Network Number (MSISDN). In some embodiments, the extracted IP address is correlated with the terminal identifier (e.g., IMSI or IMEI).

In a WLAN (Wi-Fi network), the communication identifier may comprise a Medium Access Control (MAC) address of the terminal. Other example communication identifiers comprise application-layer identifiers such as social network (e.g., Facebook) accounts, user IDs in Web sites such as Picasa, chat nicknames or e-mail addresses.

Tracking the communication traffic of a target individual (e.g., suspected terrorist or criminal) typically involves finding one or more communication identifiers (e.g., IP addresses, email-address or chat nickname) that are associated with the target individual, and tracking the communication traffic associated with these identifiers. In some scenarios, however, it is difficult to associate communication identifiers with target users, especially when the target user is aware of possible surveillance and takes measures to evade it.

For example, target individuals may conduct communication sessions from Internet cafés that use Network Address Translation (NAT). In such a scenario, a NAT router encapsulates the IP addresses of multiple computers located behind it. As a result, the IP addresses that appear in the network traffic is not the IP address of the actual computer used by the individual, and therefore difficult to correlate. In other scenarios, target individuals may hide their IP addresses using other means in order to avoid recognition, such as using standard Web services. In another scenario, a target individual may communicate using a prepaid cellular phone that is not known to the law enforcement agency. Other target individuals may switch e-mail addresses or nicknames.

System 20 is able to correlate communication identifiers with target individuals, even at such problematic scenarios, by analyzing digital images that are extracted from the communication traffic, as will be explained below.

In many cases, users 28 send and receive digital images as part of the communication sessions they conduct over network 24. For example, a user may send or receive e-mail messages with embedded or attached images, or upload images to an image sharing Web-site or a social network page. In these scenarios, the communication traffic of the sessions will comprise the digital images.

The appearance of a target individual in an image obtained from a communication session is a strong indicator that the session is conducted by that individual, or at least that the session is related to that individual. System 20 monitors communication sessions conducted in network 24. The system extracts both digital images and communication identifiers from the monitored sessions. The system attempts to detect target individuals appearing in the images, e.g., by applying face recognition methods to the extracted images. Upon identifying that a target individual appears in an image extracted from a given session, the system correlates that individual with one or more of the communication identifiers extracted from the session.

System 20 may extract images and identifiers from various kinds of communication sessions that are conducted using a variety of applications, such as, for example, e-mail, Web-mail, Peer-to-Peer (P2P), chat, Instant messaging, File transfer Protocol (FTP) applications, social networks, file sharing, image-sharing or video-sharing Web-sites, and/or any other suitable session type.

In the example embodiment of FIG. 1, system 20 comprises a network probe or other network interface 36 for communicating with network 24. System 20 further comprises a correlation processor 40 that carries out the methods described herein. In some embodiments, system 20 comprises a target image database 44 that holds facial images of known target individuals. In these embodiments, processor 40 identifies target individuals in the images extracted from the sessions by comparing the extracted images to the images stored in database 44.

Processor 40 may use any suitable face recognition or other image processing method for detecting the appearance of target individuals in the extracted images. In various embodiments, the processor may use face detection algorithms such as (but not limited to) Viola-Jones object detection framework, Schneiderman & Kanade and Rowley, Baluja & Kanade, and/or face recognition algorithms such as (but not limited to) Principal Component Analysis, Linear Discriminate Analysis, and Elastic Bunch Graph Matching—among others, possibly proprietary, licensed or others.

Processor 40 may take various actions upon correlating a certain communication identifier with a certain target individual. In the present example, processor 40 reports the identified correlation to a monitoring center 48 for presenting to an operator 52. Additionally or alternatively, processor 40 may store the correlation, e.g., in database 44, for future reference.

Processor 40 and/or monitoring center 48 may act upon the identified correlation in various ways using the communication identifier. For example, communication sessions comprising this identifier can be tracked with high priority or recorded for future analysis. Additionally or alternatively, an alert may be triggered upon detecting new communication sessions comprising the identifier. In some embodiment, the correlation operation is performed in real time, so that subsequent communication sessions can be tracked or otherwise acted upon immediately as they are intercepted. In some embodiments, the correlation can be applied to communication sessions that were previously monitored and recorded for off-line analysis.

The configuration of system 20 shown in FIG. 1 is an example configuration, which is chosen purely for the sake of conceptual clarity. In alternative embodiments, any other suitable system configuration can also be used. Some elements of system 20 may be implemented in hardware, e.g., in one or more Application-Specific Integrated Circuits (ASICs) or Field-Programmable Gate Arrays (FPGAs). Additionally or alternatively, some system elements can be implemented using software, or using a combination of hardware and software elements. Database 44 may be implemented using any suitable type of memory, such as using one or more magnetic or solid state memory devices.

Typically, processor 40 comprises a general-purpose processor, which is programmed in software to carry out the functions described herein. The software may be downloaded to the processor in electronic form, over a network, for example, or it may, alternatively or additionally, be provided and/or stored on non-transitory tangible media, such as magnetic, optical, or electronic memory.

Correlation Method Description

FIG. 2 is a flow chart that schematically illustrates a method for correlating communication traffic with target individuals, in accordance with an embodiment of the present disclosure. The method begins with network interface 36 monitoring IP traffic of network 24, at a monitoring step 60. Correlation processor 40 processes the monitored IP traffic in order to reconstruct communication sessions, at a session reconstruction step 64.

Having reconstructed the communication sessions, processor 40 extracts digital images and communication identifiers from the sessions, at an extraction step 68. Processor 40 may identify and extract various types of digital images, such as bitmap images, JPEG images, TIFF images or any other suitable image type. Additionally or alternatively to still images, processor 40 may identify and extract video images of any suitable format, such as MPEG.

Processor 40 compares the extracted images to the images of the known target individuals in database 44, at a matching step 44. Any suitable face recognition method can be used for this purpose. Processor 40 checks whether a match is found, at a checking step 76. If no target individual is found to appear in the images, the method loops back to step 60 above and the system continues to monitor IP traffic.

If processor 40 detects the appearance of a target individual in an image extracted from a given session, the processor establishes a correlation between the target individual and one or more of the communication identifiers extracted from that session, at a correlation step 80. Processor 40 and/or monitoring center 48 tracks or otherwise acts upon one or more other communication sessions comprising the identifier in question, at a tracking step 84.

Integration with MITM

In some embodiments, some or all of the IP traffic monitored by system 20 is encrypted in accordance with a cryptographic transport-layer protocol, e.g., SSL or TLS. When such a protocol is identified, processor 40 decrypts the transport-layer encryption before extracting the images and communication identifiers. In these embodiments, the monitored traffic is diverted to pass through system 20 before reaching its intended destination. After decrypting the traffic, processor 40 re-encrypts the traffic with the applicable transport-layer encryption and sends the re-encrypted traffic to its intended destination.

Processor 40 may use various techniques for decrypting and re-encrypting the transport-layer encryption. In some embodiments, the transport-layer encryption comprises a public-key encryption scheme in which one end of the link provides a security certificate to the other end. In some embodiments, processor 40 replaces the certificate with a substitute certificate, and is therefore able to decrypt the transport-layer encryption. Processes of this sort are sometimes referred to as SSL Man in The Middle (SSL MITM) and are described, for example, by Soghoian and Stamm, in “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL,” April, 2010, which is incorporated herein by reference.

When using SSL MITM, processor 40 typically intervenes in SSL sessions as they are established or negotiated. In the connection process, processor 40 transparently establishes two SSL sessions, one with each endpoint of the communication session. Each SSL session terminates at processor 40. Nevertheless, processor 40 ensures that the TCP connection between the two endpoints of the communication session remains intact and valid and the TCP ACK loop continues to operate between them. Terminating and re-originating SSL sessions allows processor 40 to extract the data from the encrypted payload for further processing. The SSL MITM technique typically does not involve any network identifiers of its own (e.g., IP address or MAC address), and is therefore undetectable by the users.

Example inspection techniques that use substitute certificates are offered, for example, by Blue Coat Systems (Sunnyvale, Calif.), and by Check Point Software Technologies (Tel Aviv, Israel). Example inspection solutions that are produced by Netronome Systems, Inc. (Cranberry Twp., Pa.) are described in “Examining SSL-Encrypted Communications—Netronome SSL Inspector™ Solution Overview,” February, 2010, which is incorporated herein by reference. SSL inspection products are also offered by Packet Forensics, Inc. (Tempe, Ariz.). Processor 40 may use any of these techniques, or any other suitable technique.

Although the embodiments described herein mainly address face recognition, the disclosed techniques may also be implemented using any other suitable image processing method that is able to identify specific individuals in digital images. Such a method may identify, for example, unique body features such as tattoos that are characteristic of the target individuals. As another example of recognizing target individuals using image processing, processor 40 may identify the license plate number of a car that appears in the extracted images. If the recognized license plate number is known to belong to a target individual, this recognition can be used as an indication that this individual is associated with the session.

It will thus be appreciated that the embodiments described above are cited by way of example, and that the present disclosure is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present disclosure includes both combinations and sub-combinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art. Documents incorporated by reference in the present patent application are to be considered an integral part of the application except that to the extent any terms are defined in these incorporated documents in a manner that conflicts with the definitions made explicitly or implicitly in the present specification, only the definitions in the present specification should be considered. 

The invention claimed is:
 1. A method comprising: monitoring, by an interface operatively coupled to a processor of a first computing system, using a Man in The Middle (MITM) protocol, remote communication sessions conducted in a communication network, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network; extracting, by the processor of the first computing system, a digital image and a first and second communication identifiers from a monitored communication session, wherein the first communication identifier identifies at least one of the communication terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session; detecting, by the processor of the first computing system, whether a known target individual appears in the extracted image, wherein the detecting comprises comparing, by the processor, the extracted image to images previously identified as being of the known target individual; and upon the detection identifying that the known target individual appears in the extracted image: establishing, by the processor of the first computing system, a correlation between the known target individual and the extracted communication identifiers, and reporting to a second computing system, by the processor of the first computing, the established correlation, wherein the second computing system is separate from the first computing system, and wherein the second computing system is configured to utilize the reported established correlation to track subsequent communication sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the second computing system prior to the first computing system reporting the correlation to the second computing system.
 2. The method according to claim 1, wherein the detecting of the target individual, by the processor, comprises applying a face recognition process to the extracted image so as to recognize a face of the target individual in the image.
 3. The method according to claim 1, wherein monitoring the communication sessions comprises receiving communication traffic from the communication network, and reconstructing the communication sessions from the received communication traffic.
 4. The method according to claim 1, wherein one or more of the communication sessions is encrypted with a transport-layer cryptographic protocol, and wherein monitoring the communication sessions comprises decrypting the cryptographic protocol before extracting the digital image and the first and second communication identifiers.
 5. The method according to claim 1, wherein monitoring the communication sessions comprises monitoring communication packets transferred over a wireless network, and wherein extracting the first communication identifier comprises extracting an identifier of a wireless communication terminal that participates in the monitored communication session.
 6. The method according to claim 5, wherein the wireless network comprises a Wireless Local Area Network (WLAN) and the first communication identifier comprises extracting a Medium Access Control (MAC) address that identifies the wireless communication terminal.
 7. The method according to claim 5, wherein the wireless network comprises one of a Global System for Mobile communications (GSM) and a Universal Mobile Telecommunications System (UMTS) Network.
 8. The method according to claim 1, wherein the detecting of the target individual, by the processor, comprises recognizing in the extracted image a car license plate that is associated with the target individual.
 9. The method according to claim 1, wherein the detecting of the target individual, by the processor, comprises recognizing in the extracted image a body feature that is associated with the target individual.
 10. An apparatus comprising: an interface, which is connected to a communication network and is configured to monitor remote communication sessions conducted in the network using a Man in The Middle (MITM) protocol, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network; and a processor operatively coupled to the interface, which is configured to: extract from a monitored communication session, a digital image and a first and second communication identifier, wherein the first communication identifier identifies at least one of the communication terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session; detect whether a known target individual appears in the extracted image, wherein the detection comprises comparing the extracted image to images previously identified as being of the known target individual; and upon detecting that the known target individual appears in the extracted image, establish a correlation between the known target individual and the extracted communication identifiers, and report the established correlation to a computing system that is separate from the apparatus, wherein the computing system is configured to utilize the communication identifier of the reported established correlation to track subsequent communication sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the computing system prior to the apparatus reporting the correlation to the computing system.
 11. The apparatus according to claim 10, wherein the processor is configured to apply a face recognition process to the extracted image so as to recognize a face of the target individual in the image.
 12. The apparatus according to claim 10, wherein the processor is configured to receive communication traffic from the communication network, and to reconstruct the communication sessions from the received communication traffic.
 13. The apparatus according to claim 10, wherein one or more of the communication sessions is encrypted with a transport-layer cryptographic protocol, and wherein the processor is configured to decrypt the cryptographic protocol before extracting the digital image and the first and second communication identifiers.
 14. The apparatus according to claim 10, wherein the communication sessions comprise communication packets transferred over a wireless network, and wherein the first communication identifier comprises an identifier of a wireless communication terminal that participates in the monitored communication session.
 15. The apparatus according to claim 14, wherein the wireless network comprises a Wireless Local Area Network (WLAN), and wherein the first communication identifier comprises a Medium Access Control (MAC) address that identifies the wireless communication terminal.
 16. The apparatus according to claim 14, wherein the wireless network comprises one of a Global System for Mobile communications (GSM) and a Universal Mobile Telecommunications System (UMTS) Network.
 17. The apparatus according to claim 14, wherein the processor is configured to correlate an Internet Protocol (IP) address extracted from the monitored communication session with the first identifier of the wireless communication terminal.
 18. A computer software product, the product comprising a tangible non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a first computing system, cause the first computing system to: monitor, using a Man in the Middle (MITM) protocol, remote communication sessions conducted in a communication network, wherein each monitored communication session comprises an exchange of communication traffic exchanged between communication terminals of the communication network; extract from a monitored communication session, a digital image and a first and second communication identifier, wherein the first communication identifier identifies at least one of the communications terminals of the monitored communication session, wherein the second identifier is an application-layer communication identifier comprising an e-mail address or chat nickname used in the monitored communication session; detect whether a known target individual appears in the extracted image, wherein the detecting comprises comparing the extracted image to images previously identifies as being of the known target individual; and upon the detection identifying that the known target individual appears in the extracted image, establish a correlation between the known target individual and the extracted communication identifiers, and report the established correlation to a second computing system that is separate from the first computing system, wherein the second computing system is configured to utilizes the reported established correlation to track communication subsequent sessions that include the first or second communication identifiers, wherein the correlation between the known target individual and the communication identifiers is not known to the second computing system prior to the first computing system reporting the correlation to the second computing system. 